Network Security Sample Questions

Author: DaveGT
ID: 96160
Updated: 2011-08-04 12:35:25

Flashcard set created by user DaveGT on FreezingBlue Flashcards.

  1. By defining the cost of a possible security breach indicate why security is required.
    Costs may arise from:

    • Stolen business (customers or contracts lost to a competitor who obtains your data)
    • Loss of business through bad publicity
    • The network grinding to a halt (lost productivity while systems are down or being rebuilt)
    • Falling foul of data protection legislation (fines and legal costs)
  2. Justify the statement “Security and accessibility of resources must be kept in a balance”
    In order to maintain a network and allow the business to go about its daily tasks, a number of properties of its information must be preserved for the company to function properly; a control that protects one of them must not destroy another (a system locked down so tightly that nobody can use it fails on availability just as surely as a breach fails on confidentiality):

    • Availability of information
    • Accuracy of information
    • Authenticity of the information
    • Confidentiality of the information
    • Integrity of the information
  4. Discuss two reasons why computers are inherently insecure.
    • Security is an annoyance to users, so it gets switched off or worked around
    • Vendors need to get a product out, and security can be neglected
    • Hardware and software evolve quickly
    • Programmers can’t predict flaws
    • Little OS diversity (one flaw affects a very large population of machines)
    • Vendors are not motivated to declare flaws
    • Patches, if available, may actually cause more problems
  5. Discuss with reasons why software vendors may release software which is insecure
    • Pressure to release the product by a set deadline, so security can be neglected
    • Not motivated to declare flaws
    • There can be thousands, if not millions, of lines of code, and there are bound to be errors which go unnoticed and can be exploited
    • Programmers can’t predict flaws
  6. Discuss the role of the security wheel in an organisation
    The security wheel is a continuous cycle built around the security policy: secure, monitor, test and improve (see questions 16 to 19). Security is treated as an ongoing process rather than a one-off installation, because new vulnerabilities and changes to the network keep eroding any static implementation.
  7. Describe the difference in security between an open and a closed network.
  8. Explain why as the years progress from around 1980’s to the present day the level of threat to security has risen.
  9. Describe five types of attack and how they are launched.
    • Packet sniffers: running Wireshark (or tcpdump) on a network segment to capture traffic
    • Trust exploitation: abusing a trust relationship, e.g. compromising a host that another system trusts and attacking from there
    • Password attacks: guessing passwords, stealing and cracking them
    • Trojan horse: embedding a reverse telnet (a shell that calls back to the attacker) into a commonly used file
    • Man-in-the-middle attacks: listening to and intercepting packets between two parties
    • Worms: self-replicating code that spreads across the network without user action
    • VLAN attacks: VLAN hopping (switch spoofing or double tagging) to reach a VLAN the attacker should not be on
    • IP weaknesses: spoofing the source address of IP packets
    • Port redirection: using a compromised host to relay traffic past a firewall to a port that is otherwise blocked
    • Virus: creating malicious code that attaches itself to other programs and releasing it onto the internet
    • DoS or DDoS: flooding a server/network until it cannot serve legitimate users; the distributed form uses a number of machines in tandem
    • Operator error: misconfiguration or mistakes by administrators and users
    • Application layer attacks: scanning for and discovering vulnerabilities in software and exploiting them
  10. State five types of attack and describe how you could protect yourself from them.
    • Remote password guessing:
    • Disable any unnecessary services
    • Utilise hardware and software (native Windows) firewalls to restrict access
    • Enforce strong passwords, implemented with group policies
    • Group policy can also be used to implement account-lockout thresholds that limit the number of login attempts
    • Regularly review logon failures in the system event logs to spot attacks and take action

    • Eavesdropping & Man-in-the-Middle Attacks:
    • Utilise strong authentication
    • Use the Public Key Cryptography for Initial Authentication (PKINIT) extension to Kerberos. This uses public-key certificates instead of passwords for the initial exchange, so no password-derived key material crosses the wire for an eavesdropper to capture and crack offline
    • Implement IPsec to authenticate and encrypt network traffic
    • Utilise and enforce strong passwords

    • Service vulnerability attacks:
    • Keep Windows systems fully up to date with patches and bug fixes; a robust update policy can be enforced using group policy
    • Continually testing the systems on the network to identify weaknesses should be routine
    • Restrict access and block unused services/ports
    • Examining the system logs and monitoring the network helps to identify any attacks

    • Application vulnerability attacks:
    • Keeping up to date with the latest security patches is essential to fix vulnerabilities and reduce the number of exploitable buffer overflows
    • Implementing a firewall will make it more difficult to remotely access the system
    • Implementing Anti-Virus (AV) software will help detect suspicious files or applications
    • Administrators should enforce a policy where everyone runs with least privilege

    • Trojan Attacks:
    • Be observant before clicking on a file. Does the file name or icon look right? Does double clicking the file do what is intended?
    • Use AV applications to scan anything suspicious, or even anything from a 3rd party
    • Check the programs that launch when the OS starts up
    • Check the registry for unusual commands in the common persistence locations, such as the Run keys
    • Processes are another key area which should be observed
    • Check to see what ports are open and what services are running
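    The "regularly review logon failures" control above, as an added example that is not part of the original card set: detection logic run over a few constructed log lines laid out like Windows Security event 4625 (logon failure) summaries. The field layout of the lines, the host names and addresses, and the threshold and window are assumptions for the demo; the point is to count failures per source and to look at how many different accounts were tried, which separates a password-spraying source from a user who mistyped once.

```python
# Added example (not from the original card set): spotting remote password
# guessing by counting failed logons per source address in the event log.
# The log lines below are CONSTRUCTED to look like Windows Security event
# 4625 (logon failure) summaries; the exact field layout is an assumption.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering several accounts, one user who
# simply mistyped once, and one successful logon (event 4624).
SAMPLE_LOG = """\
2011-08-04 12:00:01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 Status=0xC000006D
2011-08-04 12:00:02 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 Status=0xC000006D
2011-08-04 12:00:03 EventID=4625 TargetUserName=dave IpAddress=203.0.113.9 Status=0xC000006D
2011-08-04 12:00:04 EventID=4625 TargetUserName=backup IpAddress=203.0.113.9 Status=0xC000006D
2011-08-04 12:00:05 EventID=4625 TargetUserName=sqlsvc IpAddress=203.0.113.9 Status=0xC000006D
2011-08-04 12:00:06 EventID=4624 TargetUserName=dave IpAddress=192.0.2.15 Status=0x0
2011-08-04 12:00:07 EventID=4625 TargetUserName=dave IpAddress=192.0.2.15 Status=0xC000006D
2011-08-04 12:09:00 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.9 Status=0xC000006D
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) Status=(?P<status>\S+)$"
)

def parse_events(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        ev["eid"] = int(ev["eid"])
        events.append(ev)
    return events

def detect_guessing(events, threshold=4, window=timedelta(minutes=5)):
    """Flag a source IP that produces >= threshold logon failures (4625) inside
    any sliding time window. The alert records the largest burst seen and the
    distinct target accounts, so a spray across many users stands out."""
    failures = defaultdict(list)
    for ev in events:
        if ev["eid"] == 4625:
            failures[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                      # slide the window forward
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("failures", 0):
                users = sorted({e["user"] for e in evs[start:end + 1]})
                alerts[ip] = {"failures": count, "users": users}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['failures']} failures against {info['users']}")
```

    With the constructed sample only 203.0.113.9 trips the threshold (five failures against four accounts inside five minutes); the single failure from 192.0.2.15 is left alone. Tune the threshold to sit just below the account-lockout threshold so that a source that is being careful to stay under lockout still gets noticed.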
  11. If a hacker is fingerprinting you, what are they doing?
    • They are looking for information about the organisation (this phase is also called footprinting), such as:
    • Company web sites, public and private
    • Related organisations
    • Location details
    • Phone numbers, contact names, email addresses and personal details
    • Current events (mergers, acquisitions, layoffs, charity events etc.)
    • Privacy or security policies and the technical details indicating the types of security and how they are implemented
    • Archived information (e.g. old versions of the web site)
    • Disgruntled employees
    • Search engines, Usenet and résumés
    • Other information of interest
  12. If a hacker is scanning you, what are they doing?
    • Scanning ports
    • Trying to find out which services are offered by a host
    • Looking for vulnerabilities
    • Looking for open services that can be used in attacks; identifying vulnerable ports
    • Classifying ports as open, closed or filtered
    • Making a best-guess assessment of which OS is running
    • Performing ping sweeps
    • Testing ports using a variety of methods, such as SYN, ACK, FIN and UDP probes
    • Using tools such as Nessus, SuperScan or Nmap
    • Using ICMP to ping computers
  13. If a hacker is enumerating you, what are they doing?
    • Enumeration extracts information about:
    • Resources or shares on the network
    • User names or groups defined on the network
    • Last time a user logged on
    • The password policy (lockout threshold, minimum length), and occasionally passwords exposed by misconfigured services
    • It follows port scanning and footprinting
    • Determines the OS being used
    • It is an intrusive process: the attacker actively connects to services rather than passively gathering information
    • NBT (NetBIOS over TCP/IP) is a common target
    • nbtstat is a tool for enumerating Microsoft OSs
  14. Explain why a security analyst should be aware of what the hacking community is up to.
  15. What is Stack Fingerprinting and how and what is it used for?
    Stack fingerprinting is the collection of configuration attributes from a remote device during standard layer 3/4 network communications: the initial TTL, the TCP window size, the set and ordering of TCP options, the responses to unusual flag combinations, and so on. Because every operating system's TCP/IP stack makes slightly different choices, the combination of parameters may then be used to infer the remote machine's operating system (OS fingerprinting, as done by nmap -O), or incorporated into a device fingerprint.
  16. What does the secure portion of the security wheel seek to accomplish and how is this done?
    • Implement security solutions to stop or prevent unauthorized access or activities, and to protect information:
    • Authentication
    • Encryption
    • Firewalls
    • Vulnerability patching
  17. What does the monitoring portion of the security wheel seek to accomplish and how is this done?
    • Detects violations to the security policy
    • Involves system auditing and real-time intrusion detection
    • Validates the security implementation in the secure step
  18. What does the testing portion of the security wheel seek to accomplish and how is this done?
    Validates the effectiveness of the security policy through system auditing and vulnerability scanning (e.g. running Nessus or Nmap against your own systems, as an attacker would, to confirm that the controls from the secure step actually hold)
  19. What does the improvement portion of the security wheel seek to accomplish and how is this done?
    • Use information from the monitor and test phases to make improvements to the security implementation
    • Adjust the security policy as security vulnerabilities and risks are identified, then go round the wheel again
  20. Why is a security policy required?
    • To create a baseline of your current security posture
    • To set the framework for security implementation
    • To define allowed and not allowed behaviours
    • To help determine necessary tools and procedures
    • To communicate consensus and define roles
    • To define how to handle security incidents
  21. Name and discuss the network design factors upon which the security policy is based
    • Data Assessment
    • Host Addressing
    • Application Definition
    • Usage Guidelines
    • Topology/Trust Model
  22. Name and discuss the Internet threat vectors which a security policy seeks to mitigate against.
    • Vulnerabilities
    • Denial of service
    • Misuse
    • Reconnaissance
  23. Describe what could be found from looking at a company’s “current events list” which would help in footprinting the company.
    • Mergers and acquisitions
    • Layoffs
    • Charity events
    • Share information
    • Names of high level employees
    • Location of events
    • Scandals
    • Rapid hiring
    • Reorganisations
    • Outsourcing
    • Extensive use of temporary contractors
  24. Comment on the statement “For all your hacking needs use Google.”
    Google indexes far more than the pages a site intends to publish. With search operators such as filetype:, inurl:, intext: and site: (so-called Google hacking or dorking) an attacker can locate exposed configuration files, backups, password files, directory listings and verbose error messages without sending a single packet to the target, so it is a reconnaissance tool that leaves no trace in the victim's own logs.
  25. The search string “filetype:bak inurl:”htaccess | passwd | shadow | htusers” was entered into google. This produced the cut down image shown below.

    SCREENSHOT (not reproduced)

    By explaining the search string, explain the information in the image and how it may help a hacker.
    filetype:bak restricts the results to files with a .bak extension, i.e. backup copies that editors and administrators leave behind; inurl: requires the URL to contain one of htaccess, passwd, shadow or htusers. The hits are therefore backup copies of Apache access-control files and Unix password files that have been left in a web-accessible directory. Such a file hands the attacker user names and password hashes to crack offline, or the rules protecting a site, without ever touching the target's own servers.
  26. The search string “filetype:properties inurl:db intext:password” was entered into google. This produced the cut down image shown below.

    SCREENSHOT (not reproduced)

    By explaining the search string, explain the information in the image and how it may help a hacker.
    filetype:properties restricts the results to Java .properties configuration files, inurl:db requires "db" somewhere in the URL and intext:password requires the word password in the body of the file. The hits are typically database connection settings (JDBC URL, user name and password in clear text) exposed by a web server, which give the attacker working database credentials.
  27. Why is allowing ICMP packets on your network a mixed blessing?
    ICMP is needed for the network to work well: ping and traceroute for troubleshooting, "destination unreachable" messages so that senders fail fast, and "fragmentation needed" (type 3, code 4) messages for path MTU discovery, without which large TCP transfers silently stall. But the same messages let an attacker ping-sweep the address space to find live hosts, help with OS fingerprinting, and can carry a covert channel (ICMP tunnelling) or be abused for amplification (smurf) and redirect attacks. The usual compromise is to permit the specific types that are needed (echo reply inbound, unreachable and time exceeded) and to rate-limit or drop the rest at the border.
  28. Describe what port scanning does and what it attempts to find.
    • Scanning ports
    • Trying to find out which services are offered by a host
    • Looking for vulnerabilities
    • Looking for open services that can be used in attacks
    • Identifying vulnerable ports
    • Classifying ports as open, closed or filtered
    • Making a best-guess assessment of which OS is running
    • Performing ping sweeps
    • Testing ports using a variety of methods, such as SYN, ACK, FIN and UDP probes
    • Using tools such as Nessus, SuperScan or Nmap, and using ICMP to ping computers
  29. By defining the TCP connect scan and the TCP SYN scan explain how they differ in their use as a scanning methodology
    SYN scan (stealthy, "half-open" scan):

    The port scanner generates raw IP packets itself and monitors for responses; it never opens a full TCP connection. The scanner sends a SYN packet. If the target port is open, the host responds with SYN/ACK; if it is closed, with RST; if nothing comes back (or an ICMP unreachable arrives) the port is recorded as filtered. On a SYN/ACK the scanner replies with a RST, tearing the connection down before the handshake completes, so the application listening on the port never sees a connection and, on older systems, nothing is logged. Crafting raw packets requires administrative (root) privileges.

    Connect scan (completes the three-way handshake):

    The simplest port scanners use the operating system's network functions (the connect() system call); this is the fallback when a SYN scan is not feasible. If a port is open the operating system completes the TCP three-way handshake and the scanner immediately closes the connection, to avoid tying up the service in a kind of denial-of-service attack; otherwise connect() returns an error (connection refused for a closed port, a timeout for a filtered one). This mode has the advantage that the user does not need special privileges. It is "noisy": the target application sees and may log every connection, and intrusion detection systems detect it and raise an alarm.
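    The connect scan described above, as an added example that is not part of the original card set: a minimal scanner built on the operating system's connect() call, run against a throw-away listener on the loopback interface so that it works offline. The loopback host, the ports it picks and the 0.5 s timeout are assumptions for the demo; the open/closed/filtered classification is the one the card describes.

```python
# Added example, not from the original card set: a minimal TCP connect() scan,
# the "uses the operating system's network functions" method described above,
# run against a throw-away listener on the loopback interface so it works
# offline. Host, ports and the 0.5 s timeout are assumptions for the demo.
import socket
import threading

def start_listener(host="127.0.0.1"):
    """Open a TCP server on an OS-chosen port so there is a known open port to scan."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener closed: stop serving
                return
            conn.close()          # nothing is exchanged; the scan only needs the handshake

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def free_port(host="127.0.0.1"):
    """Find a port nothing is listening on (so a connect() to it gets RST / refused)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def connect_scan(host, ports, timeout=0.5):
    """Classify each port by what connect() reports:
    open     - handshake completed (SYN, SYN/ACK, ACK); we then close it ourselves
    closed   - the host answered with RST, connect() fails with 'connection refused'
    filtered - no answer before the timeout, typically a firewall dropping the SYN"""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except socket.timeout:
            results[port] = "filtered"
        except ConnectionRefusedError:
            results[port] = "closed"
        except OSError as e:      # e.g. host unreachable
            results[port] = f"error: {e}"
        finally:
            s.close()
    return results

def demo(host="127.0.0.1"):
    """Scan one open and one closed loopback port; return (open_port, closed_port, results)."""
    srv, open_port = start_listener(host)
    closed_port = free_port(host)
    try:
        results = connect_scan(host, [open_port, closed_port])
    finally:
        srv.close()
    return open_port, closed_port, results

if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, state in sorted(results.items()):
        print(f"127.0.0.1:{port}\t{state}")
```

    Because every probe completes the handshake, the listener's accept() fires for the open port, which is exactly the "noise" a SYN scan avoids: a real service would log the connection. No privileges are needed, which is the trade-off the card describes.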
  30. By defining port scanning offer some ways of countering it
    • Port scanning probes a host to find out which services it offers and which of them might be vulnerable: ports are classified as open, closed or filtered, a best-guess assessment of the OS is made, ping sweeps find live hosts, and probes use a variety of methods (SYN, ACK, FIN, UDP) with tools such as Nessus, SuperScan or Nmap
    • Options are limited:
    • Shut the port (disable the service; the only real fix)
    • Leave it open, and make sure the service behind it is patched and hardened
    • Try to disguise it (run the service on a non-standard port, or drop probes at the firewall so the port appears filtered rather than closed)
    • Use an IDS/IPS to detect scans and block the scanning source
  31. The image below is an example of enumeration attack. By describing the nature of this type of attack use the image to identify the information this type of attack can get.

    SCREENSHOT
  32. Of what use is enumeration of DNS zone transfers?
    A zone transfer (AXFR) is the mechanism by which a secondary name server copies the whole zone from the primary; if the server answers AXFR requests from anyone, the attacker obtains the complete zone in one query, which reveals:
    • Domain name information (the full list of host names in the zone, internal ones included)
    • IP address of each DNS server
    • Server names
    • Backup (secondary) server names
    • Web site address
    • Web site IP address
    • The name of the authority (the SOA record: primary server and administrator contact), plus mail exchangers (MX records)
  33. Why are Windows null sessions regarded as the hackers holy grail?
    NULL sessions take advantage of “features” in the SMB (Server Message Block) protocol that exist primarily for trust relationships. You can establish a NULL session with a Windows host by connecting to its IPC$ share with an empty user name and password (net use \\host\IPC$ "" /user:""). Using these NULL connections allows you to gather the following information from the host without any credentials at all:

    • List of users and groups
    • List of machines
    • List of shares
    • User and host SIDs (Security Identifiers)

    NULL sessions exist in Windows networking to allow:

    • Trusted domains to enumerate resources
    • Computers outside the domain to authenticate and enumerate users
    • The SYSTEM account to authenticate and enumerate resources

    Later Windows versions restrict what an anonymous session may enumerate (the RestrictAnonymous registry settings), so the technique works mainly against older or misconfigured hosts.
  34. Describe the four different ways IDS’s can respond to a signature match.
    • Alarm: sends an alarm to a log/email and then forwards the packet
    • Reset: sends packets with the RST flag set to both session participants, tearing down the TCP session
    • Drop: immediately drops the packet (only possible when the sensor is in-line)
    • Block: denies further traffic from the attacking source address
  35. Describe the differences between network based and host based attack detection.
    Network intrusion detection system (NIDS):

    • It is an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyse the content of individual packets for malicious traffic. A NIDS cannot see inside encrypted traffic and knows nothing about what happens on the host once a packet is delivered. An example of a NIDS is Snort.

    Host-based intrusion detection system (HIDS):

    • It consists of an agent on a host that identifies intrusions by analysing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. A HIDS sees activity after decryption and with full host context, but must be deployed and maintained on every monitored machine and can be disabled by an attacker who gains control of that host. An example of a HIDS is OSSEC.
  36. IDS alarms can be categorised as either false alarms or true alarms. Define these categories and their corresponding two subdivisions.
    • False alarms
    • False positive: generates an alarm on normal activity (wastes analyst time and breeds alert fatigue)
    • False negative: fails to generate an alarm for known intrusive activity (the dangerous case: the attack goes unnoticed)
    • True alarms
    • True positive: generates an alarm on activity matching an attack signature
    • True negative: no alarm generated when viewing normal traffic
  37. Take X = {1, 2, 3, 4, …, 10} and let f be the rule that for each x ∈ X, f(x) = r_x, where r_x is the remainder when x^2 is divided by 11. Give the image of f as the set Y.
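    Worked computation, added here as an example and not part of the original card:

$$
\begin{array}{c|cccccccccc}
x & 1 & 2 & 3 & 4 & 5 & 6 & 7 & 8 & 9 & 10 \\
x^2 \bmod 11 & 1 & 4 & 9 & 5 & 3 & 3 & 5 & 9 & 4 & 1
\end{array}
$$

    so the image of f is Y = {1, 3, 4, 5, 9}, the five quadratic residues modulo 11. Each value appears twice because (11 - x)^2 = 121 - 22x + x^2 ≡ x^2 (mod 11), i.e. f(x) = f(11 - x).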
  38. State and describe the goals of cryptography
    • Confidentiality: ensure that the content of the information is kept secret from all but those intended to see it
    • Data integrity: ensure that any unauthorised alteration of the information is detected
    • Authentication: identification of the parties involved and of the origin of the information exchanged
    • Non-repudiation: prevents an entity from denying either the source or the content of the information
  39. Describe the three cryptographic algorithms; Secret Key Cryptography, Public Key Cryptography and Hash Functions, giving their usage in cryptography.
    Secret Key: A single key is used for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption. With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key. Examples are DES, 3DES, AES and RC4; the usage is bulk encryption of data in transit and at rest.

    Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit (or byte or word) at a time, combining the plaintext with a keystream generated from the key (often with some feedback mechanism), so the effective key material is constantly changing. A block cipher is so called because the scheme encrypts one fixed-size block of data at a time using the same key on each block. In the basic (ECB) mode the same plaintext block always encrypts to the same ciphertext block, which leaks patterns; chaining or counter modes such as CBC and CTR are used to avoid this, whereas a stream cipher encrypts the same plaintext differently at every position of the keystream.

    Public Key: refers to a widely used set of methods for transforming a message into a form that can be read only by the intended recipient. This cryptographic approach involves the use of asymmetric key algorithms, thus two different keys: the public key, which is required to transform the message into a secure form, is different from the private key, which is required to reverse the process. The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it using the intended recipient's public key; to decrypt the message, the recipient uses the private key. Examples are RSA, Diffie-Hellman and DSA; the usage is key exchange and digital signatures rather than bulk encryption, because the operations are slow.

    Hash functions, also called message digests (and sometimes, loosely, one-way encryption, although no key and no decryption are involved), are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed from the input in such a way that it is infeasible to recover the input from the hash (pre-image resistance) or to find two inputs with the same hash (collision resistance). Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus, and as the thing that is actually signed in a digital signature. Hash functions are also commonly employed by operating systems to store passwords: the (salted) hash rather than the password itself is kept. Hash functions, then, provide a measure of the integrity of a file.
  40. Describe Secret Key Cryptography giving its advantages and disadvantages.
    Secret Key: A single key is used for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext. Because a single key is used for both functions, secret key cryptography is also called symmetric encryption. With this form of cryptography, it is obvious that the key must be known to both the sender and the receiver; that, in fact, is the secret. The biggest difficulty with this approach, of course, is the distribution of the key. Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit (or byte or word) at a time and combine the plaintext with a keystream generated from the key, so the effective key material is constantly changing. A block cipher is so called because the scheme encrypts one fixed-size block of data at a time using the same key on each block. In the basic mode the same plaintext block will always encrypt to the same ciphertext block, which is why chaining modes are used, whereas the same plaintext encrypts to different ciphertext at different positions in a stream cipher.

    Advantages: fast (suited to bulk data and to hardware implementation) and secure with comparatively short keys (128 bits of AES is ample). Disadvantages: the key must be distributed over some secure channel before communication can start; every pair of users needs its own key, so n users need n(n-1)/2 keys; and because both parties hold the same key it offers no non-repudiation, since either could have produced a given ciphertext.
  41. Describe Public Key Cryptography giving its advantages and disadvantages.
    Public Key: refers to a widely used set of methods for transforming a message into a form that can be read only by the intended recipient. This cryptographic approach involves the use of asymmetric key algorithms, thus two different keys: the public key, which is required to transform the message into a secure form, is different from the private key, which is required to reverse the process. The person who anticipates receiving messages first creates both a public key and an associated private key, and publishes the public key. When someone wants to send a secure message to the creator of these keys, the sender encrypts it using the intended recipient's public key; to decrypt the message, the recipient uses the private key.

    Advantages: no secret has to be shared in advance, the public key can be published openly, only n key pairs are needed for n users, and signing with the private key gives digital signatures and hence non-repudiation. Disadvantages: the operations are orders of magnitude slower than symmetric ciphers, so in practice public key cryptography is used only to exchange a symmetric session key (see the digital envelope); much longer keys are needed for equivalent strength; and the binding between a public key and an identity has to be trusted, which is what certificates and a PKI provide. Of course, there is a possibility that someone could "pick" Bob's or Alice's lock: all public-key schemes are susceptible to brute force key search, and to man-in-the-middle attacks whenever the public keys are exchanged without authentication.
  42. Describe Hash Functions giving its advantages and disadvantages.
    Hash functions, also called message digests (and sometimes, loosely, one-way encryption, although no key and no decryption are involved), are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed from the input in such a way that it is infeasible to recover the input from the hash. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by operating systems to store passwords, keeping the hash rather than the password itself. Hash functions, then, provide a measure of the integrity of a file.

    Disadvantages: two files could have the same hash value (a collision; MD5 and SHA-1 are now known to be weak in this respect). Stored password hashes are susceptible to brute force and dictionary attacks and, when no salt is used, to precomputed rainbow tables, because the same password always produces the same hash; the password can also simply be guessed. A per-user salt and a deliberately slow hash (PBKDF2, bcrypt, scrypt) remove the precomputation advantage and make each guess expensive.
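    The dictionary and rainbow-table weakness above, as an added example that is not part of the original card set: an attacker with a precomputed table of MD5 digests of common passwords recovers every unsalted hash with a single lookup, while per-user salts plus key stretching force a fresh hash computation per user per guess. The wordlist, user names and passwords are constructed for the demo; the iteration count is deliberately low so the example runs quickly (real deployments use far more).

```python
# Added example (not from the original card set): why unsalted password hashes
# fall to dictionary / precomputed-table attacks, and how a per-user salt plus
# key stretching (PBKDF2) removes the precomputation advantage.
import hashlib
import os

# Constructed data: a small "breached" wordlist (assumption for the demo).
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2011", "hunter2"]

def unsalted_md5(password):
    """What the card calls "encrypting" passwords: a bare one-way hash. With no
    salt the same password always gives the same digest on every system."""
    return hashlib.md5(password.encode()).hexdigest()

def salted_pbkdf2(password, salt, iterations):
    """Stretched, salted hash; the store keeps (salt, iterations, digest) per user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def build_table(wordlist):
    """Precompute digest -> password once; reusable against every unsalted store."""
    return {unsalted_md5(w): w for w in wordlist}

def attack_unsalted(store, table):
    """store: {user: md5hex}. One dictionary lookup per user, no hashing at attack time."""
    return {user: table[digest] for user, digest in store.items() if digest in table}

def attack_salted(store, wordlist):
    """store: {user: (salt, iterations, digest)}. The salt forces the attacker to
    re-hash the wordlist for every user, at the cost set by the iteration count.
    Returns (recovered passwords, number of hash evaluations performed)."""
    found, hash_evals = {}, 0
    for user, (salt, iters, digest) in store.items():
        for w in wordlist:
            hash_evals += 1
            if salted_pbkdf2(w, salt, iters) == digest:
                found[user] = w
                break
    return found, hash_evals

def make_stores(users, iterations=1000):
    """Build an unsalted MD5 store and a salted PBKDF2 store for the same users."""
    unsalted = {u: unsalted_md5(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = os.urandom(16)                  # fresh random salt per user
        salted[u] = (salt, iterations, salted_pbkdf2(p, salt, iterations))
    return unsalted, salted

if __name__ == "__main__":
    users = {"alice": "Summer2011", "bob": "hunter2", "carol": "Tr0ub4dor&3"}
    unsalted, salted = make_stores(users)
    print("unsalted:", attack_unsalted(unsalted, build_table(WORDLIST)))
    print("salted:  ", attack_salted(salted, WORDLIST))
```

    Both stores give up the weak passwords, which is the point about guessing: salting does not rescue "hunter2". What changes is the cost: the unsalted attack spends nothing per victim beyond a table lookup, while the salted attack has to run the stretched hash once per word per user, and the per-user salt means a table built for one site is useless against another.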
  43. Describe the concept of a digital envelope and how/why it is used
    For example two legitimate users; Alice is the sender and Bob is the receiver.

    A digital envelope comprises an encrypted message and an encrypted session key. Alice uses secret key cryptography to encrypt her message using the session key, which she generates at random for each session. Alice then encrypts the session key using Bob's public key. The encrypted message and encrypted session key together form the digital envelope. Upon receipt, Bob recovers the session key using his private key and then decrypts the encrypted message. This combines the speed of secret key cryptography for the bulk data with the key-distribution convenience of public key cryptography: only the short session key goes through the slow public-key operation, and a fresh session key per message limits the damage if one is ever recovered.
  44. Describe why key length is important in cryptography.
    In cryptography, size does matter. The larger the key, the harder it is to crack a block of encrypted data. The reason that large keys offer more protection is almost obvious: computers have made it easier to attack ciphertext by brute force rather than by attacking the mathematics. With a brute force attack, the attacker merely generates every possible key and applies it to the ciphertext; any resulting plaintext that makes sense is a candidate for the legitimate key. Each extra bit of key doubles that work. This was the basis, of course, of the EFF's attack on DES (Deep Crack, 1998, which recovered a 56-bit DES key in about 56 hours).

    • Until the mid-1990s or so, brute force attacks against 56-bit keys were beyond the capabilities of computers within the budget of the attacker community
    • Today significant compute power is commonly available and accessible; it cracks short (40-bit export) keys in seconds and DES in hours or days, which is why 128-bit and longer symmetric keys, and correspondingly larger public keys, are now the norm
  45. Describe the Diffie-Hellman algorithm and show how it allows secure communication across insecure networks
    Diffie-Hellman allows two parties, the ubiquitous Alice and Bob, to generate a shared secret key; they need to exchange some information over an insecure communications channel to perform the calculation, but an eavesdropper cannot determine the shared key from this information.

    Diffie-Hellman works like this. Alice and Bob start by agreeing on a large prime number, n. They also have to choose some number g so that g
    Anyway, either Alice or Bob selects n and g; they then tell the other party what the values are. Alice and Bob then work independently:

    • Alice...
    • Choose a large random number, x
    • Send to Bob: X = g^x mod n
    • Compute: K_A = Y^x mod n

    • Bob...
    • Choose a large random number, y
    • Send to Alice: Y = g^y mod n
    • Compute: K_B = X^y mod n

    Note that x and y are kept secret while X and Y are openly shared; these are the private and public keys, respectively. Based on their own private key and the public key learned from the other party, Alice and Bob have computed their secret keys, K_A and K_B, respectively, which are equal: (g^y)^x = (g^x)^y = g^(xy) mod n. The eavesdropper, who sees only n, g, X and Y, would have to recover x or y from g^x or g^y mod n, the discrete logarithm problem, which is infeasible for a well-chosen n of 2048 bits or more.

    Diffie-Hellman can also be used to allow key sharing amongst multiple users. Note again that the Diffie-Hellman algorithm is used to generate secret keys, not to encrypt and decrypt messages. On its own it does not authenticate the parties: an active attacker who can replace X and Y in transit runs one exchange with Alice and another with Bob (man-in-the-middle), which is why protocols such as IKE and TLS sign or otherwise authenticate the exchanged values.
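    The exchange above, together with the key-length argument from question 44, as an added example that is not part of the original card set: both parties' computations, and an eavesdropper who sees only n, g, X and Y and tries to recover the key by brute-forcing the discrete logarithm. The parameters are a deliberate toy (an assumption for the demo): n = 1019 is a 10-bit safe prime and g = 2 generates the whole group, so the attacker's search finishes instantly; the same search against a standardised 2048-bit group is infeasible. The constraint on g that the card's sentence cuts off is that g must lie between 1 and n and generate a large subgroup, which a safe prime guarantees for any g other than 1 and n - 1.

```python
# Added example, not from the original card set: the Diffie-Hellman exchange
# with both parties' computations, plus an eavesdropper who sees only
# (n, g, X, Y). TOY PARAMETERS (an assumption for the demo): n = 1019 is a
# 10-bit safe prime and g = 2 generates the whole group, small enough that the
# attacker's discrete-log search finishes instantly. Real deployments use
# standardised groups of 2048 bits or more (e.g. RFC 3526), where the same
# search is infeasible.
import secrets

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def is_safe_prime(n):
    """n = 2q + 1 with q prime: every g except 1 and n-1 then has order q or 2q."""
    return is_prime(n) and is_prime((n - 1) // 2)

N, G = 1019, 2   # toy group; 1019 = 2*509 + 1 and 1019 = 3 (mod 8), so 2 is a generator

def validate_params(n, g):
    if not is_safe_prime(n):
        raise ValueError("n must be a safe prime")
    if not 2 <= g <= n - 2:
        raise ValueError("g out of range")

def dh_keypair(n, g):
    """Random secret exponent x in [2, n-2] and its public value X = g^x mod n;
    retried in the rare case that X is a trivial value (1 or n-1)."""
    while True:
        x = 2 + secrets.randbelow(n - 3)
        X = dh_public(n, g, x)
        if 2 <= X <= n - 2:
            return x, X

def dh_public(n, g, x):
    """X = g^x mod n, the value that is sent in the clear."""
    return pow(g, x, n)

def dh_shared(n, peer_public, x):
    """K = Y^x mod n. Reject trivial peer values (1 and n-1 force K into {1, n-1})."""
    if not 2 <= peer_public <= n - 2:
        raise ValueError("peer public value out of range")
    return pow(peer_public, x, n)

def eve_discrete_log(n, g, X):
    """Brute-force x with g^x = X (mod n); the cost is proportional to n."""
    acc = 1
    for x in range(1, n):
        acc = (acc * g) % n
        if acc == X:
            return x
    return None

def eve_recover_key(n, g, X, Y):
    """What the eavesdropper can do with the public values alone."""
    x = eve_discrete_log(n, g, X)
    return None if x is None else pow(Y, x, n)

def exchange(n=N, g=G, x=None, y=None):
    """Run the protocol; return (K_A, K_B, K_eve). Fixed x, y make it repeatable."""
    validate_params(n, g)
    x, X = dh_keypair(n, g) if x is None else (x, dh_public(n, g, x))
    y, Y = dh_keypair(n, g) if y is None else (y, dh_public(n, g, y))
    k_a = dh_shared(n, Y, x)            # Alice: Y^x mod n
    k_b = dh_shared(n, X, y)            # Bob:   X^y mod n
    return k_a, k_b, eve_recover_key(n, g, X, Y)   # X, Y were sent in the clear

if __name__ == "__main__":
    ka, kb, ke = exchange()
    print(f"Alice K={ka} Bob K={kb} Eve K={ke}  (toy n={N}: the eavesdropper wins)")
```

    The range check in dh_shared is the one practitioners forget: a peer who sends 1 or n - 1 as its public value forces the shared key into a two-element set regardless of your secret, which is why real implementations validate the received value (and why safe primes or known subgroups are used).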
  46. Define the two categories of access control lists and by giving an example of each describe, with reasons, where they should be placed in network to be most effective.
    Standard ACLs filter on the source IP address only (e.g. access-list 10 deny 192.168.1.0 0.0.0.255). Because they cannot distinguish destinations, they should be placed as close to the destination as possible, otherwise they cut the source off from everything behind the router. Extended ACLs filter on source and destination address, protocol and port (e.g. access-list 101 deny tcp any host 10.1.1.5 eq 23); they should be placed as close to the source as possible, so that unwanted traffic is dropped before it consumes bandwidth and router resources across the network.
  47. Describe the IPSec framework and its attendant protocols
    Central to IPsec is the concept of a security association (SA). Authentication and confidentiality using AH or ESP use SAs, and a primary role of IPsec key exchange is to establish and maintain SAs. An SA is a simplex (one-way or unidirectional) logical connection between two communicating IP endpoints that provides security services to the traffic carried by it using either AH or ESP procedures. The endpoint of an SA can be an IP host or an IP security gateway (e.g., a proxy server, VPN server, etc.). Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction). Each SA operates in transport mode (protecting the payload of the original packet, used between hosts) or tunnel mode (encapsulating the whole original IP packet inside a new one, used between gateways).

    • IKE (Internet Key Exchange)
    • Provides the framework for negotiating security parameters (algorithms, lifetimes) and authenticating the peers
    • Establishes the keys for the SAs, using Diffie-Hellman to derive them

    • ESP (Encapsulating Security Payload)
    • Provides the framework for encrypting, authenticating and securing data

    • AH (Authentication Header)
    • Provides the framework for authenticating and securing data, without encryption
  48. Describe the Authentication Header protocol.
    The AH is merely an additional header in a packet, more or less representing another protocol layer above IP. Use of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header. The AH follows the mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information. The contents of the AH are:

    • Next Header: An 8-bit field that identifies the type of the next payload after the Authentication Header
    • Payload Length: An 8-bit field giving the length of the AH in 32-bit words minus 2 (so a 24-byte AH carrying a 96-bit ICV has the value 4)
    • Reserved: This 16-bit field is reserved for future use and is always filled with zeros
    • Security Parameters Index: An arbitrary 32-bit value that, in combination with the destination IP address and security protocol, uniquely identifies the Security Association for this datagram
    • Sequence Number: A 32-bit field containing a monotonically increasing sequence number for each datagram, used for anti-replay
    • Authentication Data: A variable-length, 32-bit aligned field containing the Integrity Check Value (ICV), typically the 96-bit truncation of HMAC-MD5 or HMAC-SHA1

    • Features of the AH:
    • Used to provide data integrity
    • Data origin authentication for IP datagrams
    • Provides protection against replays
    • Can be used alone or in combination with ESP
    • Use of the IP AH is indicated by placing the value 51 (0x33) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header
    • AH requires less overhead than ESP
    • AH is never export restricted, because it provides no confidentiality
    • AH was mandatory for IPv6 compliance in the original IPsec architecture (RFC 2401); the current architecture (RFC 4301) requires only ESP
    • Uses a keyed-hash (HMAC) mechanism
    • The ICV covers the immutable fields of the IP header as well as the payload, so AH detects header tampering but cannot pass through NAT, which rewrites addresses
    • Provides NO confidentiality
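    The header layout above, as an added example that is not part of the original card set: building an AH in front of a payload and parsing it back, with an HMAC-SHA1-96 ICV (the 96-bit truncation specified in RFC 2404) and a replay check. Two simplifications are assumptions of the demo and not how a real stack does it: the ICV here covers only the AH (with the ICV field zeroed) and the payload, whereas real AH also covers the immutable fields of the outer IP header, and replay detection uses a plain set of seen sequence numbers instead of RFC 4302's sliding window. The key and payload are constructed.

```python
# Added example (not from the original card set): build and parse an IPsec
# Authentication Header as laid out in the card, with an HMAC-SHA1-96 ICV
# (RFC 2404) and a simple anti-replay check. SIMPLIFICATIONS (assumptions):
# the ICV covers only the AH (ICV zeroed) plus the payload, not the outer IP
# header's immutable fields, and replay detection is a set, not a window.
import hashlib
import hmac
import struct

AH_PROTO = 51                        # value in IPv4 Protocol / IPv6 Next Header
ICV_LEN = 12                         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits
AH_FIXED = struct.Struct("!BBHII")   # next hdr, payload len, reserved, SPI, seq (12 bytes)

def ah_icv(key, ah_with_zero_icv, payload):
    return hmac.new(key, ah_with_zero_icv + payload, hashlib.sha1).digest()[:ICV_LEN]

def build_ah(key, spi, seq, next_header, payload):
    """Return AH || payload. Payload Length is (AH length in 32-bit words) - 2:
    12 fixed bytes + 12 ICV bytes = 24 bytes = 6 words, so the field is 4."""
    ah_len_words = (AH_FIXED.size + ICV_LEN) // 4
    head = AH_FIXED.pack(next_header, ah_len_words - 2, 0, spi, seq)
    icv = ah_icv(key, head + b"\x00" * ICV_LEN, payload)
    return head + icv + payload

class AHReceiver:
    """Holds one inbound SA: its key, expected SPI and the sequence numbers seen."""
    def __init__(self, key, spi):
        self.key, self.spi, self.seen = key, spi, set()

    def parse(self, packet):
        """Split AH from payload, verify the ICV in constant time, check replay.
        Returns a dict; icv_ok False means the packet must be discarded."""
        if len(packet) < AH_FIXED.size:
            raise ValueError("truncated AH")
        next_header, plen, _reserved, spi, seq = AH_FIXED.unpack_from(packet)
        ah_len = (plen + 2) * 4                      # undo the "minus 2" encoding
        head, icv, payload = packet[:AH_FIXED.size], packet[AH_FIXED.size:ah_len], packet[ah_len:]
        expected = ah_icv(self.key, head + b"\x00" * len(icv), payload)
        icv_ok = hmac.compare_digest(icv, expected)
        replay = icv_ok and seq in self.seen           # only authentic packets count
        if icv_ok and not replay:
            self.seen.add(seq)
        return {"next_header": next_header, "spi": spi, "seq": seq,
                "spi_ok": spi == self.spi, "icv_ok": icv_ok,
                "replay": replay, "payload": payload}

if __name__ == "__main__":
    key = b"sixteen byte key"                          # constructed SA key
    rx = AHReceiver(key, spi=0x1000)
    pkt = build_ah(key, spi=0x1000, seq=1, next_header=6, payload=b"TCP segment")
    print(rx.parse(pkt))
    print("replayed:", rx.parse(pkt)["replay"])
```

    Parsing the same packet twice reports a replay the second time, and flipping one payload byte makes the ICV check fail; both outcomes are what the "anti-replay" and "data integrity" features above mean in practice. The ICV is compared with hmac.compare_digest so that a forger cannot time the comparison byte by byte.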
  49. Describe the Encapsulating Security Payload protocol.
    The IP Encapsulating Security Payload (ESP), described in RFC 4303, provides message integrity and data origin authentication as well as confidentiality. As in AH, integrity uses HMAC with MD5, SHA-1 or RIPEMD; confidentiality was originally provided by DES-CBC (now obsolete), with 3DES-CBC, other CBC-mode algorithms and AES in common use, and NULL encryption when only authentication is wanted.

    Use of the IP ESP format is indicated by placing the value 50 (0x32) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header. The ESP header (i.e., SPI and sequence number) follows the mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information; unlike AH, the Next Header field sits in the ESP trailer after the payload, so it is encrypted too. The contents of the ESP packet are:

    • Security Parameters Index: An arbitrary 32-bit value that, in combination with the destination IP address and security protocol, uniquely identifies the Security Association for this datagram
    • Sequence Number: A 32-bit field containing a sequence number for each datagram
    • Payload Data: A variable-length, encrypted field containing the data described by the Next Header field (preceded by an IV where the cipher needs one)
    • Padding: Between 0 and 255 octets of padding may be added to the ESP packet, to align the data to the cipher's block size and to hide the true payload length
    • Pad Length: An 8-bit field indicating the number of bytes in the Padding field
    • Next Header: An 8-bit field that identifies the type of data in the Payload Data field
    • Authentication Data: A variable-length, 32-bit aligned field containing the Integrity Check Value (ICV), computed over the ESP header, payload and trailer but not over the outer IP header

    • Features of ESP:
    • Provides confidentiality
    • Data origin authentication
    • Connectionless integrity
    • Anti-replay
    • Limited traffic flow confidentiality (padding hides the exact length; tunnel mode hides the real endpoints)
    • Service depends on the SA’s options
    • Encryption historically done with DES or 3DES; AES is now the standard choice
    • Authentication/integrity done by HMAC keyed with SHA-1 or MD5
    • Use of the IP ESP format is indicated by placing the value 50 (0x32) in the IPv4 Protocol or IPv6 Next Header field in the IP packet header
    • Does not protect the IP header unless in tunnel mode (where the whole original packet, header included, becomes the encrypted payload of a new packet)
  50. Describe the functionality of SNMP
    In typical SNMP use, one or more administrative computers called managers have the task of monitoring or managing a group of hosts or devices on a computer network. Each managed system executes, at all times, a software component called an agent which reports information via SNMP to the manager.

    Essentially, SNMP agents expose management data on the managed systems as variables. The protocol also permits active management tasks, such as modifying and applying a new configuration through remote modification of these variables. The variables accessible via SNMP are organized in hierarchies. These hierarchies, and other metadata (such as the type and description of each variable), are described by Management Information Bases (MIBs).

    An SNMP-managed network consists of three key components:

    • Managed device
    • Agent, software which runs on managed devices
    • Network management system (NMS), software which runs on the manager

    From a security standpoint, SNMPv1 and v2c authenticate requests with nothing more than a community string sent in clear text (often left at the defaults public and private), so anyone who can sniff or guess it can read device configuration or, with the write community, change it; SNMPv3 adds per-user authentication and encryption and should be preferred, with any remaining v1/v2c access restricted to management hosts by ACL.
  51. Compare and contrast RADIUS and TACACS+ in their function as AAA verifiers.
    Both let a network access device hand authentication, authorisation and accounting off to a central server. RADIUS (an open standard, RFC 2865/2866) runs over UDP (ports 1812/1813, formerly 1645/1646), encrypts only the user password in the Access-Request and leaves the rest of the packet in clear, and combines authentication and authorisation in one exchange; it is the usual choice for network access by users (dial-up, wireless, VPN). TACACS+ (Cisco, later published as RFC 8907) runs over TCP port 49, encrypts the whole packet body, and separates the three functions so that authorisation can be applied per command, which makes it the usual choice for controlling administrative access to network devices.
  52. Describe three different authentication methods and comment on their ease of use.
    Something you know (password or PIN): cheapest and easiest to deploy, but easily shared, guessed or forgotten. Something you have (hardware token, smart card, one-time password generator): much harder to copy, but the user must carry it and replacements cost money and time. Something you are (a biometric such as a fingerprint or iris): nothing to remember or carry, but readers are expensive, false accepts and rejects are a fact of life, and a compromised biometric cannot be changed. Combining two of these (two-factor authentication) is considerably stronger than any one alone.
  53. Identify the main weakness of static passwords and describe three different attacks that could be launched on them.
    The main weakness is that the same secret is reused for every login, so once it is learned, by whatever means, it keeps working until someone notices and changes it. Attacks: replay (a captured authentication exchange is resent), theft (shoulder surfing, keyloggers, phishing, reading it from a sticky note or a configuration file), brute force or dictionary guessing (online against the service, or offline against a stolen hash), and eavesdropping on protocols that send the password in clear text (telnet, FTP, HTTP basic authentication).
  54. By describing the process to create a one-time password show how this makes it more secure.
    • 1. The client provides a pass phrase
    • 2. The server provides the seed and the hash algorithm (MD4, MD5 or SHA-1)
    • 3. Seed and pass phrase are concatenated and passed through the hash a number of times (n), the output being folded/reduced to 64 bits each time; the server stores only the final value, hash^n
    • 4. On login the client is challenged by the server, which provides the seed, the sequence number minus 1, and the hash to use
    • 5. The client performs step 3 (sequence number minus 1) times and sends that password, hash^(n-1), to the server
    • 6. The server passes this through the hash one more time and compares the result with the stored value
    • 7. The server updates its database with the new sequence number (n-1) and the new password (the value just received)

    Even if a password is intercepted or cracked it will be of no use to the hacker, because the next time the user logs in the password will be different; the hash cannot be run backwards, so knowing hash^(n-1) does not yield hash^(n-2), which is the next password required.
  55. Describe what a Digital Signature is and so indicate how security is obtained through its use.
    A digital signature is a mathematical scheme for demonstrating the authenticity of a digital message or document. They employ a type of asymmetric cryptography. For messages sent through a non-secure channel, a properly implemented digital signature gives the receiver reason to believe the message was sent by the claimed sender and that it was not altered in transit.

    Digital signatures are equivalent to traditional handwritten signatures in many respects; properly implemented digital signatures are more difficult to forge than the handwritten type. Digital signature schemes in the sense used here are cryptographically based, and must be implemented properly to be effective. Digital signatures can also provide non-repudiation, meaning that the signer cannot successfully claim they did not sign a message, while also claiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digital signature, so that even if the private key is exposed, the signature is valid nonetheless. Digitally signed messages may be anything representable as a bitstring: examples include electronic mail, contracts, or a message sent via some other cryptographic protocol. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.
  56. Biometrics is considered by some as the ultimate security “password”. By describing a few biometric technologies show the advantages and disadvantages that this biometric “password” brings to security.
  57. By describing the three components of the 802.1x protocol show how the use of this protocol enhances security of a network.
    The protocol in 802.1X is called EAP encapsulation over LANs (EAPOL), which is not particularly sophisticated.

    802.1x is a standard for passing EAP over a wired or wireless LAN. With 802.1X, you package EAP messages in Ethernet frames and don't use PPP. It is simply authentication and nothing more.

    802.1X uses three components:

    • The user or client that wants to be authenticated is called a supplicant.
    • The actual server doing the authentication, typically a RADIUS server, is called the authentication server.
    • The device in between client and server, such as a wireless access point, is called the authenticator.

    One of the key points of 802.1X is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1X ideal for wireless access points, which are typically small and have little memory and processing power.
  58. Name the inherent four factors of a system which have motivated the development of The Intrusion Detection Model.
    • Motivated by four factors:
    • Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons
    • Existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons
    • Developing systems that are absolutely secure is extremely difficult, if not generally impossible
    • Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
  59. By identifying observable patterns of system usage show how these may be used to detect intrusions.
    • Attempted Break-in: Recognised by the abnormal number of password failures
    • Masquerading or successful break-in: Logged in at an unusual time for the legitimate user. Resource usage may be that of browsing directories and executing system status commands.
    • Penetration by legitimate user: Triggers excessive protection violations. Accessing material not usually used by them.
    • Leakage by legitimate user: Leaking sensitive documents by routeing data to remote printers not normally used.
    • Similarly for Trojan horses, viruses and DoS
  60. Describe some useful attributes that an IDE architecture should have
    • Collects, organizes, and analyzes information from any number of network based and host based IDS sensors;
    • Shows overall status at a glance;
    • Generates a report hierarchy that allows humans to start their investigation at any level and work up, down, and across as the trail leads;
    • Enables humans to interact with the system to test their intuitions;
    • Allows humans to direct further analysis and redirect how data is analyzed;
    • Is invisible to hackers and is secure, because it is physically isolated from the production network.
  61. Describe how the four active defence mechanisms of an IPS play a role in helping secure a system.
    • Detection – identify attacks
    • Prevention – stop detected attacks from happening
    • Reaction – immunise the system from further attacks from a malicious source
    • Alert – alert an administrator that an attack has happened
  62. What are the benefits and disadvantages of an anomaly-based detection system?
    • Benefits
    • Enables tuneable control over false positives
    • Detects previously unpublished attacks
    • Drawbacks
    • Requires initial training
    • No protection while in training mode
    • Requires the updating of usage profiles
    • Can produce false negatives if the traffic appears normal
    • Difficulty in correlating alarms to specific attacks
    • Can be complicated and difficult to understand
  63. Identify four cryptographic goals and show how they help secure communications.
    • Confidentiality – ensure that the content of the information is kept secret from all but those intended to see it.
    • Data integrity – ensure that there is no unauthorised alteration of the information.
    • Authentication – identification of the parties involved and of the information exchanged.
    • Non-repudiation – prevents an entity from denying either the source or the content of the information.
  64. Describe the differences between stream and block ciphers
    Secret key cryptography schemes are generally categorized as being either stream ciphers or block ciphers. Stream ciphers operate on a single bit (byte or computer word) at a time and implement some form of feedback mechanism so that the key is constantly changing. A block cipher is so-called because the scheme encrypts one block of data at a time using the same key on each block. In general, the same plaintext block will always encrypt to the same ciphertext when using the same key in a block cipher whereas the same plaintext will encrypt to different ciphertext in a stream cipher.
  65. Describe the encoding method used by block ciphers.
    covered in slides
  66. Researchers in 2004 found that it was possible to have two different files produce the same hash output. As a security administrator describe with reasons why or why not you should be worried about this.
    Hash functions are sometimes misunderstood and some sources claim that no two files can have the same hash value. This is, in fact, not correct. Consider a hash function that provides a 128-bit hash value. There are, obviously, 2^128 possible hash values. But there are a lot more than 2^128 possible files. Therefore, there have to be multiple files — in fact, there have to be an infinite number of files! — that can have the same 128-bit hash value.

    The difficulty is finding two files with the same hash! What is, indeed, very hard to do is to try to create a file that has a given hash value so as to force a hash value collision — which is the reason that hash functions are used extensively for information security and computer forensics applications. Alas, researchers in 2004 found that practical collision attacks could be launched on MD5, SHA-1, and other hash algorithms.

    In 2004 there was no obvious successor to MD5 and SHA-1 that could be put into use quickly; there are so many products using these hash functions that it could take many years to flush out all use of 128- and 160-bit hashes. That said, NIST announced in 2007 their Cryptographic Hash Algorithm Competition to find the next-generation secure hashing method. Dubbed SHA-3, this new scheme will augment FIPS 180-2. A list of submissions can be found at The SHA-3 Zoo. The SHA-3 standard may not be available until 2011 or 2012.
  67. By defining a hash function identify security application which could use it.
  68. Explain why key length has a bearing on the security of encrypted data.
    In cryptography, size does matter. The larger the key, the harder it is to crack a block of encrypted data. The reason that large keys offer more protection is almost obvious; computers have made it easier to attack ciphertext by using brute force methods rather than by attacking the mathematics. With a brute force attack, the attacker merely generates every possible key and applies it to the ciphertext. Any resulting plaintext that makes sense offers a candidate for a legitimate key. This was the basis, of course, of the EFF's attack on DES.

    Until the mid-1990s or so, brute force attacks were beyond the capabilities of computers that were within the budget of the attacker community. Today, however, significant compute power is commonly available and accessible which can crack older algorithms in a matter of seconds.
  69. By defining the three cryptographic trust models, Web of Trust, Kerberos and Certificates, highlight their strengths and weaknesses.
    • The web of trust employed by Pretty Good Privacy (PGP) users, who hold their own set of trusted public keys.
    • Strengths:
    • To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means
    • PGP's web of trust is easy to maintain and very much based on the reality of users as people.
    • Weaknesses:
    • Limited: just how many public keys can a single user reliably store and maintain?
    • What if you are using the "wrong" computer when you want to send a message and can't access your keyring?
    • How easy is it to revoke a key if it is compromised?
    • PGP may also not scale well to an e-commerce scenario of secure communication between total strangers on short-notice.
    • Kerberos, a secret key distribution scheme using a trusted third party.
    • Strengths:
    • Kerberos overcomes many of the problems of PGP's web of trust, in that it is scalable and its scope can be very large
    • It is already integrated into a wide variety of software platforms
    • Weaknesses:
    • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in
    • Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail.
    • Since all authentications are controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
    • Kerberos servers have to have knowledge of all client systems prior to any transaction, which makes it unfeasible for "hit-and-run" client/server relationships as seen in e-commerce.

    • Certificates allow a set of trusted third parties to authenticate each other and, by implication, each other's users
    • Strengths:
    • No need to distribute multiple key pairs
    • Each organization participating can administer its own keys
    • Weaknesses:
    • Complex
    • More expensive than symmetrical keying
    • A document being distributed to multiple users must be encrypted multiple times
  70. Highlight a number of ways encrypted data can be compromised.
    • Mishandling or human error
    • Deficiencies in the cipher itself
    • mathematical formula
    • open public scrutiny.
    • reasonable amount of time.
    • no useful weaknesses
    • Brute force attacks
  71. What would be the best way of identifying any weaknesses in a cipher?
  72. By defining why key management is important, identify the key components in a key management system.
    If an attacker uncovers the key to an encryption technique, that could lead to the system and its data being compromised. Keys must be protected in order to prevent this happening, and a reliable management system can do this.
  73. Key generation
    • Key storage and key archiving
    • Key distribution and key protection
    • Key accounting and key history
    • Key usage and key renewal
    • Key revocation and key distribution, which can also include key archiving
  74. State the three packet inspection techniques of a firewall and describe how they differ from one another.
    • Packet Filtering Overview:
    • All incoming packets are compared against defined rules corresponding to a limited command set for one or more low-level protocols. Packets are either denied and dropped or passed here.
    • Packets which pass all the rules are either passed up the stack for further processing or sent on to the remote host.
    • Packet Filtering Features:
    • Physical network interface
    • Source address of data
    • Destination address of data
    • Type of transport layer
    • Transport layer source and destination port
  75. Circuit Level Filtering Overview:
    • All incoming packets are compared against defined rules composed from a command set up to the transport layer. Packets are either denied and dropped or passed here. The transport layer maintains state information about a network session in a virtual circuit table.
    • Packets which pass all the rules and the virtual circuit table are either passed up the stack for further processing or sent onto the remote host.
    • Circuit Level Filtering Features:
    • Unique session identifier
    • State of the connection
    • Sequencing information
    • Source and destination addresses
    • Network interface through which packet transits
  76. Application Layer Filtering Overview:
    • The incoming network packets propagate up a “hardened” stack until they reach the highest protocol layer found in the packet.
    • They then move out of the network stack to the application proxy listening on that port.
    • The packet data and header information come from the highest protocol layer.
    • The proxy service compares data against acceptable command rules using accept and deny lists.
    • The service may perform data modification, authentication, logging, URL filtering etc
    • Packets are either dropped or sent onto the host’s port or a remote host.
    • Application Level Filtering Features:
    • Evaluates network packets for valid data at the application layer.
    • It examines the data in all network packets at the application layer and maintains complete connection state and sequencing information.
    • Can validate other security items that only appear within the application layer data, such as user passwords and service requests.
    • Provide increased access control
    • Generate audit data about traffic
  77. Describe the three firewall technologies: bastion host, screened subnet and dual firewall, highlighting their strengths and weaknesses.
    A bastion host is a special purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of the firewall or in the DMZ and usually involves access from untrusted networks or computers. It provides a secure gateway into and out of a network; however, it is particularly vulnerable to attacks because of its exposure to the internet. If the bastion is breached then typically the network will be compromised.

    In network security, a screened subnet firewall is a variation of the dual-homed gateway and screened host firewall. It can be used to separate components of the firewall onto separate systems, thereby achieving greater throughput and flexibility, although at some cost to simplicity. As each component system of the screened subnet firewall needs to implement only a specific task, each system is less complex to configure. It is often used to establish a DMZ. It protects the inner private network whilst allowing a company to utilise a DMZ where it can put web servers and other machines that do not contain sensitive data. This allows for communication whilst minimising the risk that their sensitive data is compromised.

    A dual firewall infrastructure is similar to a screened subnet, except there is an inner firewall protecting the private network and also an external firewall protecting the DMZ. This increases security as an attacker would have to bypass two firewalls and provides increased flexibility. However it also increases the complexity of the security infrastructure and may affect performance.
  78. What strengths do VPNs have over the traditional WAN technologies like Frame Relay?
    • Extend geographic connectivity
    • Improve security
    • Reduce operational costs versus traditional WAN
    • Reduce transit time and transportation costs for remote users
    • Improve productivity
    • Simplify network topology
    • Provide global networking opportunities
    • Provide telecommuter support
    • Provide broadband networking compatibility
    • Provide faster ROI (return on investment) than traditional WAN
  79. VPNs can be placed into three categories: hardware, firewall and software. Discuss the strengths and weaknesses of each category.
    • Hardware Based
    • Most are encrypting routers
    • As plug and play as is possible to find
    • May not be flexible enough

    • Firewall Based
    • Take advantage of a firewall’s security mechanisms.
    • Hardened OS
    • Performance may be an issue for an already loaded device.

    • Stand-alone application Based
    • Ideal for those occasions where the end points are not controlled by one company.
    • Require familiarity with OS and application.
    • Best where only modest performance is required.
  80. What are the advantages offered by VPNs?
    • Extend geographic connectivity
    • Improve security
    • Reduce operational costs versus traditional WAN
    • Reduce transit time and transportation costs for remote users
    • Improve productivity
    • Simplify network topology
    • Provide global networking opportunities
    • Provide telecommuter support
    • Provide broadband networking compatibility
    • Provide faster ROI (return on investment) than traditional WAN
  81. Describe how VPNs carry out their function of securing data transport between geographically distant points.
    A virtual private network (VPN) is a secure way of connecting to a private Local Area Network at a remote location, using the Internet or any insecure public network to transport the network data packets privately, using encryption. The VPN uses authentication to deny access to unauthorized users, and encryption to prevent unauthorized users from reading the private network packets. The VPN can be used to send any kind of network traffic securely, including voice, video or data.

    VPNs are frequently used by remote workers or companies with remote offices to share private data and network resources. VPNs may also allow users to bypass regional internet restrictions such as firewalls, and web filtering, by "tunneling" the network connection to a different region.

    Tunnel endpoints must authenticate before secure VPN tunnels can be established. The VPN protocol encapsulates network data transfers using a secure cryptographic method such as IPsec, SSL/TLS or SSTP between two or more networked devices which are not on the same private network, to keep the data private as it passes through the connecting nodes of a local or wide area network.
  82. By describing the goals of IPsec show how its framework accomplishes the goals.
    • Counter
    • Loss of privacy
    • Loss of data integrity
    • Identity spoofing
    • Denial-of-service.
    • All with no expensive hardware and application rewrites

    Central to IPsec is the concept of a security association (SA). Authentication and confidentiality using AH or ESP use SAs, and a primary role of IPsec key exchange is to establish and maintain SAs. An SA is a simplex (one-way or unidirectional) logical connection between two communicating IP endpoints that provides security services to the traffic carried by it using either AH or ESP procedures. The endpoint of an SA can be an IP host or IP security gateway (e.g., a proxy server, VPN server, etc.). Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

    • IKE
    • Provides a framework for negotiating security parameters.
    • Establishment of authentication keys

    • ESP
    • Provides framework for encrypting, authenticating and securing data.

    • AH
    • Provides framework for authenticating and securing data
  83. Compare and contrast the three locations of encryption: application layer, network layer and link layer to establish the strengths and weaknesses of each method.
    • Hash functions are well-suited for ensuring data integrity because any change made to the contents of a message will result in the receiver calculating a different hash value than the one placed in the transmission by the sender. Since it is highly unlikely that two different messages will yield the same hash value, data integrity is ensured to a high degree of confidence.
    • Secret key cryptography, on the other hand, is ideally suited to encrypting messages, thus providing privacy and confidentiality. The sender can generate a session key on a per-message basis to encrypt the message; the receiver, of course, needs the same session key to decrypt the message.
    • Key exchange, of course, is a key application of public-key cryptography (no pun intended). Asymmetric schemes can also be used for non-repudiation and user authentication; if the receiver can obtain the session key encrypted with the sender's private key, then only this sender could have sent the message. Public-key cryptography could, theoretically, also be used to encrypt messages although this is rarely done because secret-key cryptography operates about 1000 times faster than public-key cryptography.
  84. State and explain the two modes of IKE.
    • In main or aggressive mode the peers do:
    • Negotiate an IKE protection suite
    • Authenticate each other
    • Exchange keying material to protect the IKE session
    • Establish the IKE SA
    • This defines a secure IKE channel to establish IPsec SA’s through

    • In the other mode, quick mode, the peers:
    • Negotiate IPsec policies
    • Exchange keying material for the IPsec SAs
    • Establish IPsec SAs
    • Periodically renegotiate IPsec SAs to ensure security
    • Optionally perform an additional Diffie-Hellman exchange
  85. Explore the pros and cons of using IKE as opposed to manual keys.
    • Eliminates the need to manually specify all the IPSec security parameters in the crypto maps at both peers.
    • Allows you to specify a lifetime for the IPSec security association.
    • Allows encryption keys to change during IPSec sessions.
    • Allows IPSec to provide anti-replay services.
    • Permits Certification Authority (CA) support for a manageable, scalable IPSec implementation. Allows dynamic authentication of peers.
    • IKE negotiation uses UDP on port 500

    Originally, IKE had numerous configuration options but lacked a general facility for automatic negotiation of a well-known default case that is universally implemented. Consequently, both sides of an IKE had to exactly agree on the type of security association they wanted to create — option by option — or a connection could not be established. Further complications arose from the fact that in many implementations the debug output was difficult to interpret, if there was any debug routine at all.

    The IKE specifications were open to a significant degree of interpretation, bordering on design faults (Dead-Peer-Detection being a case in point), giving rise to different IKE implementations not being able to create an agreed-upon security association at all for many combinations of options, however correctly configured they might appear at either end.
  86. By identifying the fields within an IP packet that NAT typically changes explain why AH will not work with NAT.
  87. If you were trying to establish an IPsec connection through NAT explain which protocol(s) and option(s) with reasons you would use.
    AH runs the entire IP packet, including invariant header fields like source and destination address, through a message digest algorithm to produce a keyed hash. This hash is used by the recipient to authenticate the packet. If any field in the original IP packet is modified, authentication will fail and the recipient will discard the packet. AH is intended to prevent unauthorized modification, source spoofing, and man-in-the-middle attacks. But NAT, by definition, modifies IP packets. Ergo, AH + NAT cannot work.

    The other IPsec protocol, the Encapsulating Security Payload (ESP), also employs a message digest algorithm for packet authentication. But unlike AH, the hash created by ESP does not include the outer packet header fields. This solves one problem, but leaves others.
  88. Describe how the Public Key Infrastructure User-Centric Model works paying particular attention to its strengths and weaknesses.
    For example Bob knows/trusts Alice and has her public key

    • Alice knows/trusts Joe and has his public key
    • Therefore Bob and Joe can trust each other through knowing Alice

    • CA Certification Authority is a trusted third party
    • Expensive so only really usable by large groups of people like corporations and government.
    • Although not making much headway in the business-to-consumer market, it is very scalable.
    • It is adaptable for the Business to Business transactions
  89. Encryption ciphers may have weaknesses. Describe some of these weaknesses and how they could be mitigated
  90. Show diagrammatically the 5 message mutual authentication exchange. A 3 message mutual authentication exchange is shorter but has a serious flaw. Identify the flaw and describe how it can be overcome.
  91. Write down some characteristics that a good authentication protocol should have and why
  92. Name and discuss the parameters which drive the Intrusion Detection Models
    • Most existing systems have security flaws that render them susceptible to intrusions, penetrations, and other forms of abuse; finding and fixing all these deficiencies is not feasible for technical and economic reasons
    • Existing systems with known flaws are not easily replaced by systems that are more secure, mainly because the systems have attractive features that are missing in the more-secure systems, or else they cannot be replaced for economic reasons
    • Developing systems that are absolutely secure is extremely difficult, if not generally impossible
    • Even the most secure systems are vulnerable to abuses by insiders who misuse their privileges.
  93. Why do companies use VPNs?
    • Extend geographic connectivity
    • Improve security
    • Reduce operational costs versus traditional WAN
    • Reduce transit time and transportation costs for remote users
    • Improve productivity
    • Simplify network topology
    • Provide global networking opportunities
    • Provide telecommuter support
    • Provide broadband networking compatibility
    • Provide faster ROI (return on investment) than traditional WAN
  94. Discuss the critical components of VPNs from a company’s point of view
    • Organisational Management
    • Access Control
    • Traffic Control
  95. Define the SNMP message formats and what they are used for.
    • GetRequest.
    • Specific values can be fetched without establishing a TCP connection with the device.
    • GetNextRequest/GetBulkRequest
    • Enable a “walk” through or bulk collection of SNMP values for a device.
    • SetRequest.
    • This provides a way of configuring and controlling network devices via SNMP.
    • TrapMessage.
    • Enables notification of problems to a manager.
    • InformRequest
    • Returns the variable from the various “get” messages.
    • InformRequest
    • Acknowledge asynchronous notifications from manager to manager
  96. What is the SNMP MIB?
    • Management Information Base (MIB). See RFC 1213
    • The MIB has a hierarchical database which defines the variables that reside in a managed node
    • Defined according to the Structure of Management Information (SMI) rules
    • Each managed object is described using an object identifier defined in the SMI
    • Objects include:
    • Measure and monitor IP activity
    • TCP activity
    • UDP activity
    • IP routes
    • TCP connections
    • interfaces
  97. Describe how the security of SNMP is organised
    • Who
    • Communities –the relationships between SNMP entities
    • What
    • The community profile made up of the MIB view and the SNMP access mode.
    • How
    • Read-only – public community
    • Read/write – private community
    • none
  98. Describe what RMON is and the essential difference between RMON1 and RMON2
    • Is a MIB
    • Based on IETF RFCs
    • Gathers statistics by analysing every frame on a segment
    • RMON1 is for data link layer
    • RMON2 is for the network layer to the application layer
    • Work with an external probe
  99. What is the role of the syslog server in a security setting?
    Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyses them. It also provides devices which would otherwise be unable to communicate a means to notify administrators of problems or performance.

    Syslog can be used for computer system management and security auditing. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.

    It can be configured to log issues using a severity level such as emergencies, alerts, critical, errors etc. Administrators can set up notifications if a severity level is met. Thus if something significant is happening within a computer system's security an administrator can be notified straight away and take action.
  100. By defining a hash function describe where it could be used in cryptography
    Hash functions, also called message digests and one-way encryption, are algorithms that, in some sense, use no key. Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions, then, provide a measure of the integrity of a file.
  101. IPsec goals can be said to prevent: loss of privacy, loss of data integrity, identity spoofing, and denial-of-service. Explain how the framework achieves this.
    Central to IPsec is the concept of a security association (SA). Authentication and confidentiality using AH or ESP use SAs, and a primary role of IPsec key exchange is to establish and maintain SAs. An SA is a simplex (one-way or unidirectional) logical connection between two communicating IP endpoints that provides security services to the traffic carried by it using either AH or ESP procedures. The endpoint of an SA can be an IP host or IP security gateway (e.g., a proxy server, VPN server, etc.). Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).

    • IKE
    • Provides framework for negotiating security parameter.
    • Establishment of authentication keys

    • ESP
    • Provides framework for encrypting, authenticating and securing data.

    • AH
    • Provides framework for authenticating and securing data.
  102. The SNMP protocol is sometimes classed as inefficient and complex, yet it is still used. Explain this apparent contradiction.
    • Strengths
    • Wide spread popularity
    • Flexible and extensible protocol

    • Weaknesses
    • Anything but simple
    • Inefficient use of bandwidth

    While the protocol may be less than perfect, it is the only way to manage large networks.

    SNMP allows the DIFFERENCES of state to be monitored and reported
  103. What part does IKE play in the setting up of an IPsec tunnel?
    • IKE
    • Provides framework for negotiating security parameter.
    • Establishment of authentication keys

    The IKE protocol uses UDP packets, usually on port 500, and generally requires 4-6 packets with 2-3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. For instance, this could be an AES key, information identifying the IP endpoints and ports that are to be protected, as well as what type of IPsec tunnel has been created. The IPsec stack, in turn, intercepts the relevant IP packets if and where appropriate and performs encryption/decryption as required. Implementations vary on how the interception of the packets is done—for example, some use virtual devices, others take a slice out of the firewall, etc.
